IFF SECURITY PROPOSAL WITH FACILITIES FOR SECURE DATA TRANSMISSION



INTRODUCTION 

1. This paper presents a description of the cryptomathematical 
aspects of a device consisting of a shift register, several storage 
registers and two correspondence generators. Under proper usage this 
system should provide a means for secure IFF, secure personal identification
(PI), and a secure data transmission system. 

2. The basic system was initially proposed by the Communications 
Laboratory of AFCRC and it was there that the first models of this system
were constructed. 

DESCRIPTION OF ENCIPHERMENT 

1. Operations 

a. In order to simplify the description given in the following
sections, it will be necessary to define symbols for the various operations
used in the encipherment: +, ⊕, G, S, Q. The first two will be explained
initially; the other three will then be defined by making use of a seven
stage device, as shown in Figure 2.

b. Vector addition, or ordinary non-carry binary addition, will
be designated by +; e.g. 0+0 = 1+1 = 0, 1+0 = 0+1 = 1. The ⊕ shall stand for
the operation of combining two vectors a and b in such a way that if
a = 110110001 and b = 01011, then a ⊕ b = (110110001) ⊕ (01011) =
11011000101011.

c. In Figure 2 there is exhibited a seven stage device. This
system will be used as an example in explaining the different operations 
of the device. 

d. The correspondence generator is merely a permutation arranged
so that for any distinct set of three bits read from stages 4, 5 and 6 in
the shift register there is one and only one output. As an example of this
operation, let the contents of the seven stages be represented by
x_1, x_2, ..., x_6, x_0, i.e.

X = x_1 x_2 x_3 x_4 x_5 x_6 x_0
  = 1 1 0 1 1 0 0.

Since x_4 x_5 x_6 maps or is permuted into an output (1,2,3), an input of 110
into the correspondence generator becomes an output of 011, see Figure 2.
This is then added to x_1 x_2 x_3 to yield X' as follows:

X      = 1101100
Output = 011
X'     = 1011100

Let this operation of reading of the value of the contents of stages
4, 5, 6, permuting this value into any of the eight possible values, and
then adding the result by non-carry binary addition (+) to stages 1, 2, and
3 of the shift register be defined by the operator G. That is, in symbols,
X G = X'.

e. Let S be an operator designating a cyclic shift from right to
left with the contents of stage 1 being carried end around to stage 0. For
example

X   = 1101100
X S = 1011001.

f. Let Q ≡ G S, where the operations are carried out from left to
right in sequence as follows:

X   = 1101100
X Q = X G S = (XG)S = (1011100)S
    = 0111001.

Basically these are the only operations involved in the system. 

2. IFF 

a. To use this system as a secure IFF we must be able to encipher,
in a manner which can be duplicated on the ground, a randomly selected
challenge (C = c_0 c_1 c_2 c_3 c_4 c_5 c_6). Several different methods have been
tried but the one method which appears to offer the most complexity is that
of serial loading.

b. The device in its normal state of rest will have the additive
key (X_0) inserted in the shift register and will be ready to receive the
interrogation pulses as they arrive. The interrogation will be preceded
by a series of synchronization pulses which will indicate what mode of
operation is to be performed. After receiving the synchronization pulses
and setting up the proper gates for calculating a normal IFF reply the
operation will proceed as follows. Let X_0 be the initial setting of the
shift register, that is let X_0 be the additive key. Then as the first bit
c_0 of the interrogation is received it is added (+) to the zero stage of
the shift register, or symbolically X_0 + c_0 = x_1 x_2 x_3 x_4 x_5 x_6 (x_0 + c_0).
Next X_0 + c_0 is operated on by Q. Let the result of this operation be
designated by X_1, thus (X_0 + c_0) Q = X_1. When the second bit arrives,
it is added to position zero of the shift register. Q again is applied,
giving X_2. This process can be represented symbolically as follows:

X_0 = additive key
X_1 = (X_0 + c_0) G S = (X_0 + c_0) Q
X_2 = (X_1 + c_1) Q
X_3 = (X_2 + c_2) Q
X_4 = (X_3 + c_3) Q
X_5 = (X_4 + c_4) Q
X_6 = (X_5 + c_5) Q
X_7 = (X_6 + c_6) Q
or
X_7 = (((((((X_0 + c_0)Q + c_1)Q + c_2)Q + c_3)Q + c_4)Q + c_5)Q + c_6) Q.

All bits of the interrogation have now been loaded into the shift register.
However, the degree of complexity involving the last several bits (c_4, c_5, c_6)
is not sufficient to give the system adequate security. Therefore, Q shall
be applied seven more times as follows:

(((((((X_7)Q)Q)Q)Q)Q)Q)Q = (X_7) Q^7.

This completes the encipherment. 

c. In order to obtain the reply, read the values of any three of 
the stages (in the example stages 1, 2, and 3 are used) and transmit their 
value as the reply. 

d. The detailed operations involved in a complete encipherment 
are illustrated in Figure 3.

e. The preceding paragraphs described the method of calculation
of a reply from an interrogation for a 7-stage shift register. Now, let
us extend this operation to the 24-stage system. The operator G will now
represent the reading from 4 stages instead of 3, permuting this value
simultaneously through two correspondence generators and adding (+) the
results to 2 distinct sets of 4 stages each in the shift register. These
sets will be distinct from the reading set. See Figure 1. The operator
S is the same (cyclic shift from right to left with end around carry).
The interrogation will now consist of 24 bits, C = c_0 c_1 c_2 ... c_22 c_23,
and 4 bits instead of 3 will be used in the reply.

f. The reply is calculated as follows: first, determine X_48,

X_48 = (( ... (((X_0 + c_0)Q + c_1)Q + c_2)Q + ... + c_22)Q + c_23)Q) Q^24;

second, from X_48 select 4 bits, say x 2 x-j x^, as the reply.

g. The interrogator, who is on the other end of this transmission,
performs the same operations on the challenge (interrogation) that he has
transmitted, then holds the result until he receives the reply. Upon
receiving the reply he compares this with the one he has calculated and upon
a series of say 10 such comparisons he is able to distinguish friends from
enemies.

3. Secure Personal Identification 

a. The operations of this system when used for secure PI are
basically the same with two slight exceptions: first the contents of the
entire shift register are transmitted in the reply, and second the
interrogator, as we will see later, must be able to shift his shift
register in either direction.

b. After having received the synchronization pulses, which are
different from those used in IFF, the device is automatically set up to
perform the following operations (upon receipt of the interrogation
C = c_0 c_1 ... c_23, which is identical to the preceding challenge): First,
determine X_24 where X_24 = ( ... ((X_0 + c_0)Q + c_1)Q + ... + c_23) Q. Second,
to X_24 add (+) the PI or PI ⊕ A (see 1b) where A might be an indication of
the amount of fuel remaining, i.e. X_24 + (PI ⊕ A) ≡ X'_24. Third, determine
X'_48 where X'_48 = (X'_24) Q^24. Finally the reply X'_48 (all 24 bits) is
transmitted to the interrogator.



c. In the meantime the interrogator has calculated X_24 and
transferred it to a storage register awaiting the reply X'_48. Having received
X'_48 he proceeds to operate backwards. First he shifts his shift register,
which contains X'_48, from left to right. Let this shift from left to right
be designated by S^-1. Next he operates with G, which yields
X'_47 = X'_48 S^-1 G. Since X'_48 = X'_47 Q, let us define Q^-1 as S^-1 G,
i.e. Q^-1 ≡ S^-1 G, and further let (X) Q^-4 = ((((X) Q^-1)Q^-1)Q^-1)Q^-1
or any other power n such that Q^-n means to apply Q^-1 successively n times.
Hence X'_24 = (X'_48) Q^-24. By adding (+) X_24 to X'_24 we have
X_24 + X'_24 = PI ⊕ A which not only gives the interrogatee's PI but also
gives the amount of fuel (or other vital information) to the interrogator.
See Figure 4 for a detailed calculation using a seven stage device.

d. There are other types of operational procedures that can be 
used to obtain a PI reply from a particular aircraft rather than having 
all aircraft in a given area responding at once. The details of these 
and other modifications will not be included at this time. 

4. Data Transmission

a. Even though the operations involved in using this system for 
data transmission are rather complex, it should be borne in mind that this 
facility is an extra or bonus since most of the equipment would already be 
present for the IFF system. The system as proposed is essentially a discrete 
address system wherein a set of data is sent to one receiver (or under a
prearranged address system to one group of receivers).

b. Under the assumption that there will always be more than one
aircraft within receiving range, it will be necessary to set up a closed
circuit between the transmitter on the ground and the receiver in the
aircraft. This will be accomplished as follows: First, the ground will
transmit a normal challenge C which is preceded by a special set of
synchronization pulses that trigger the proper gates for data transmission
operation. Then for the seven stage device he calculates X_7 as in
Figure 5(a) and stores it for future use. For simplicity let X_7 ≡ H.
Second, the aircraft receives the challenge and calculates H (X_7) and he
too stores H for future use. To the value of H which is still in his shift
register is added his PI and the initial value K_0 of his counter (K). Call
the result of this operation X''_7, where X''_7 = H + {PI ⊕ K_0}. The counter
(K) is a binary counter of 3 stages in the seven stage device which counts
0, 1, 2, 3, 4, 5, 6, 7, 0, 1, ... and it is not reset to 0. K_0 would
represent some initial value and K_1 would represent the next value in the
sequence. Operate on X''_7 with Q^7 to obtain X''_14, the reply. This entire
operation in symbols is

[( ... ((X_0 + c_0)Q + c_1)Q + ... + c_6)Q + {PI ⊕ K_0}] Q^7 = X''_14.

The reply is then sent to the ground. See Figure 5(b). Third, the ground
receives the reply (X''_14) and operates on it as follows:

(X''_14) Q^-7 + H = PI ⊕ K_0.

The {PI ⊕ K_0} is complemented, that is 0's become 1's and vice versa; then,
using the complemented value, (H + {PI ⊕ K_0}) Q^-7 ≡ C. S. C. S. is
transmitted to the aircraft as a call sign for the aircraft with this
particular PI and K_0. See Figure 5(c) and (d). Fourth, C. S. is deciphered
in the aircraft as follows:

(C. S.) Q^7 + H + (PI ⊕ K_0) = 1111111;

when the result of this calculation is all ones he transmits a pulse
indicating correct reception. In general (a) Q^n = (b) Q^n if and only if
a = b. Since a and b are of the form H + {PI ⊕ K_0}, then the other aircraft
within receiving range that have different PI's cannot get all ones. Those
that do not get ones would automatically ignore the message transmissions.
The calculations for this step are carried out in Figure 5(e). This
completes the setting up of a closed circuit.

c. The remaining operations consist of transmitting the messages.
However, since K_0 has already been used in the setup, the total number of
messages which can be sent on one setup is limited to one less than the
total number of settings of K. The messages (for the seven stage device)
are enciphered as follows, where M_i is message i and EM_i is the enciphered
message:

M_1  (Ground) (H + {M_1 ⊕ K_1}) Q^-7 = EM_1;
     (Air)    (EM_1) Q^7 + H + K_1 = M_1 ⊕ 0;
     Acknowledge correct receipt of M_1.

M_2  (Ground) (H + {M_2 ⊕ K_2}) Q^-7 = EM_2;
     (Air)    (EM_2) Q^7 + H + K_2 = M_2 ⊕ 0;
     Acknowledge correct receipt of M_2; and so forth.

See Figures 5(f) and 5(g).

d. The fact that the aircraft must obtain a 0 in the positions
normally occupied by K gives an excellent check for transmission and other
errors.

e. After a predetermined time the transponders in the aircraft go 
back into their normal state, that is in a stand-by status awaiting an 
interrogation. 
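
The seven-stage operations G, S and Q, with the IFF reply, PI reply and call-sign calculations of sections 2 to 4, as an added example that is not part of the original paper. The correspondence generator table is assumed apart from the one mapping 110 -> 011 given in the text, and the key, challenge and PI values are constructed.

```python
# Seven-stage device; the register is written x1 x2 x3 x4 x5 x6 x0.
# Constructed correspondence generator: only 110 -> 011 is taken from the text,
# the other seven entries are assumed so that the table is a permutation.
CG = {"000": "101", "001": "110", "010": "000", "011": "111",
      "100": "010", "101": "100", "110": "011", "111": "001"}

def add(a, b):                          # non-carry binary addition (+)
    return "".join("01"[p != q] for p, q in zip(a, b))

def G(x):                               # read stages 4-6, permute, add to stages 1-3
    return add(x[:3], CG[x[3:6]]) + x[3:]

def S(x):                               # cyclic shift right to left, stage 1 -> stage 0
    return x[1:] + x[0]

def Q(x):
    return S(G(x))

def Q_inv(x):                           # S^-1 then G; G undoes itself (stages 4-6 untouched)
    return G(x[-1] + x[:-1])

def power(op, x, n):
    for _ in range(n):
        x = op(x)
    return x

def load(key, challenge):               # serial loading: X_7 from X_0 and c_0..c_6
    x = key
    for c in challenge:
        x = Q(x[:-1] + add(x[-1], c))
    return x

def iff_reply(key, challenge):          # stages 1, 2, 3 of (X_7) Q^7
    return power(Q, load(key, challenge), 7)[:3]

def pi_reply(key, challenge, pi_a):     # (X_7 + {PI, A}) Q^7, all seven bits
    return power(Q, add(load(key, challenge), pi_a), 7)

def pi_recover(key, challenge, reply):  # interrogator: (reply) Q^-7 + X_7
    return add(load(key, challenge), power(Q_inv, reply, 7))

def call_sign(h, pi_k0):                # ground: (H + complement of {PI, K_0}) Q^-7
    return power(Q_inv, add(h, add(pi_k0, "1111111")), 7)

def accepts(h, pi_k0, cs):              # aircraft: (C.S.) Q^7 + H + {PI, K_0} all ones?
    return add(add(power(Q, cs, 7), h), pi_k0) == "1111111"

if __name__ == "__main__":
    key, ch = "1101100", "1011010"      # constructed sample key and challenge
    h = load(key, ch)
    print(iff_reply(key, ch), pi_recover(key, ch, pi_reply(key, ch, "1010011")))
    print(accepts(h, "1010011", call_sign(h, "1010011")))
```

Because every step is invertible, the full-register PI reply can be run backwards by anyone holding the key, while the IFF reply exposes only three stages.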

KEY

1. The daily key will consist of the additive key, correspondence
generator one and correspondence generator two. The read, write and reply
read-out positions are fixed and given in Figure 1.

2. There are 2^24 - 1 or approximately 1.7 x 10^7 usable additive keys.
The key consisting of all zeros will not be used.

3. Since the correspondence generators are permutors of 16 elements,
there are 16! or approximately 2.1 x 10^13 different set-ups for each
correspondence generator. However, no permutation which can be represented
by a linear transformation can be used, therefore the 28,080 permutations
which can be represented by linear transformation must be subtracted
from the total number (2.1 x 10^13) of set-ups to give the usable
number of permutations for each correspondence generator.

4. The total number of usable keys is (2^24 - 1)(16! - 28,080)(16! - 28,080)
or approximately (1.7 x 10^7)(2.1 x 10^13)(2.1 x 10^13) = 7 x 10^33.

5. In order to avoid the selection of a linear permutation for use
in the key list the proposed key could be simply tested for linearity by
a properly designed digital computer program.

6. In order to insure that the key is properly set up in the device 
a test setting (X_0) Q^96 will be inserted into a separate register. The
Officer who inserts the key will push a button and have the device with its 
new key run thru the 96 settings and check the 96 th setting against the 
check setting furnished by the key list. If the two settings are 
identical, then the Officer knows that the key has been properly inserted and 
that the crypto-unit is functioning properly. After the initial test the 
device will automatically check itself at regular intervals, say every two 
minutes. Any time a failure occurs the device rechecks itself several 
times; if the system continues to fail then the system is automatically 
switched into emergency mode of operation and the pilot is informed. 
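
Paragraph 5 calls for a program that tests a proposed correspondence generator for linearity; one way to write that test for a permutation of 16 elements, as an added example that is not from the original paper. The candidate tables are constructed, and rejecting affine maps (linear plus a constant) as well is an assumption made here.

```python
def is_permutation(perm):
    # A correspondence generator must map the 16 inputs onto 16 distinct outputs.
    return sorted(perm) == list(range(16))

def is_linear(perm):
    # Linear over GF(2): f(a + b) = f(a) + f(b) for every pair of 4-bit inputs,
    # where + is non-carry binary addition.
    return all(perm[a ^ b] == perm[a] ^ perm[b]
               for a in range(16) for b in range(16))

def is_affine(perm):
    # Linear once the constant f(0) is removed. Rejecting these too is an
    # assumption of this example; the paper only says "linear transformation".
    return is_linear([v ^ perm[0] for v in perm])

def screen(candidates):
    """Return the names of the candidate generators that pass the key-list test."""
    return [name for name, perm in candidates.items()
            if is_permutation(perm) and not is_affine(perm)]

# Constructed candidates; none of these is a real key.
gray = [x ^ (x >> 1) for x in range(16)]      # bijective and linear
offset = [v ^ 0b0101 for v in gray]           # affine: linear plus a constant
swapped = list(range(16))
swapped[1], swapped[2] = 2, 1                 # identity with two outputs exchanged
repeated = [0] * 16                           # not a permutation at all

CANDIDATES = {"gray": gray, "offset": offset,
              "swapped": swapped, "repeated": repeated}

if __name__ == "__main__":
    print(screen(CANDIDATES))
```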



Carey C. Tison 

NSA-314 

30 March 1955 